
Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

Microsoft Corporation

Published: October 2006

Author: Brian Lich

Editor: Carolyn Eller

Abstract

This step-by-step guide provides instructions for deploying Microsoft Office SharePoint Server 2007 in a Microsoft Windows Rights Management Services (RMS) with Service Pack 2 environment. It includes the necessary information for installing and configuring RMS, installing and configuring Office SharePoint Server 2007 in the newly created RMS infrastructure, and verifying that Office SharePoint Server 2007 documents can be rights-protected and consumed.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, SharePoint, MS-DOS, SQL Server, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
About this Guide
  What This Guide Does Not Provide
Deploying RMS in a Test Environment
Requirements for RMS with Service Pack 2
Steps for Deploying RMS with Office SharePoint Server 2007
  Step 1: Setting up the Infrastructure
    Configure the domain controller (DC)
    Configure the computer to be used as the RMS cluster (RMS-SRV)
    Configure the Office SharePoint Server 2007 server (SPS-SRV)
    Configure the RMS client computer (RMS-CLNT)
  Step 2: Installing and Configuring RMS on RMS-SRV
    Add Application Server role to RMS-SRV
    Install Message Queuing
    Install Microsoft SQL Server 2005 Standard Edition
    Install the RMS cluster
    Configure RMS settings
    Register the SCP in Active Directory
  Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV
    Install Microsoft .NET Framework 2.0
    Install Microsoft .NET Framework 3.0
    Add Application Server role to SPS-SRV
    Install Office SharePoint Server 2007
    Configure Office SharePoint Server 2007 for RMS
  Step 4: Verifying RMS Functionality on RMS-CLNT

Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

About this Guide

This step-by-step guide walks you through the process of deploying Microsoft® Windows® Rights Management Services (RMS) with Service Pack 2 and Microsoft Office SharePoint® Server 2007 together in a test environment. During this process, you create an Active Directory® domain, install and configure an RMS cluster on a Microsoft Windows Server® 2003–based server, install the RMS Logging database server, install Office SharePoint Server 2007, integrate the Office SharePoint Server 2007 with RMS, and configure a Windows XP–based RMS client computer.

Upon completion of this step-by-step guide, you will be able to use the test environment you just built as a baseline for the way it might be deployed in your organization.

Important

Microsoft Windows® SharePoint® Services 3.0 does not have the Microsoft Office protector files that are required to automatically rights-protect a document when it is uploaded. You must use Microsoft Office SharePoint Server 2007 to do this.

As you complete the steps in this guide, you will:

- Prepare the infrastructure for Active Directory directory services, RMS, and Office SharePoint Server 2007.
- Install and configure RMS.
- Install and integrate Office SharePoint Server 2007 into your RMS environment.
- Verify RMS and Office SharePoint Server 2007 integration after you complete the configuration.

Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of integrating an Office SharePoint Server 2007 deployment with an RMS infrastructure is to be able to protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any given organization.

Note

Integrating Office SharePoint Server 2007 with RMS does not protect the documents while they are on the server. When a document is uploaded to an Office SharePoint Server 2007 site, the server will remove all protection until a download request is received by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server 2007 server will apply the appropriate restrictions to the document before it is downloaded to the client computer.

What This Guide Does Not Provide

This guide does not provide the following:

- Guidance for integrating Office SharePoint Server 2007 with RMS in a production environment.
- Complete technical reference for RMS. For more in-depth technical information about RMS, see http://go.microsoft.com/fwlink/?LinkId=68637.
- Complete information about Office SharePoint Server 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=74460.

Deploying RMS in a Test Environment

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Microsoft products without accompanying documentation and should be used with discretion as a stand-alone document.

Upon completion of this step-by-step guide, you will have a working RMS infrastructure integrated with Office SharePoint Server 2007. You can then test and verify RMS and Office SharePoint Server 2007 interoperability through the simple task of uploading a Microsoft Office Word 2007 document to the Office SharePoint Server 2007 portal.

The test environment described in this guide includes four computers connected to the Internet and using a clean installation of the following operating systems, applications, and services:

| Computer Name | Operating System | Applications and Services |
|---|---|---|
| RMS-SRV | Windows Server 2003 with Service Pack 1 (SP1) | RMS, Internet Information Services (IIS) 6.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Microsoft SQL Server™ 2005 Standard Edition |
| DC | Windows Server 2003 with SP1 | Active Directory, Domain Name System (DNS) |
| SPS-SRV | Windows Server 2003 with SP1 | Office SharePoint Server 2007 |
| RMS-CLNT | Windows XP Professional with Service Pack 2 (SP2) | Microsoft Office Word 2007 |

Note

If the RMS server is not connected to the Internet, it must be enrolled offline before the provisioning of the RMS server is complete.

The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named DC for the domain named cpandl.com. The following figure shows the configuration of the test environment:

Requirements for RMS with Service Pack 2

The following table describes the minimum hardware requirements and recommendations for running RMS with Service Pack 2.

| Requirement | Recommendation |
|---|---|
| Personal computer with one Pentium III processor (800 megahertz (MHz) or higher) | Computer with two Pentium 4 processors (1500 MHz or higher) |
| 256 megabytes (MB) of RAM | 512 MB of RAM |
| 20 gigabytes (GB) of free hard disk space | 40 GB of free hard disk space |
| One network adapter | One network adapter |

The following table describes the software requirements for running RMS on a Windows Server 2003–based computer.

| Software | Requirement |
|---|---|
| Operating system | Windows Server 2003, any editions except Web Edition |
| File system | NTFS file system is recommended |
| Messaging | Message Queuing |
| Web services | Internet Information Services (IIS). ASP.NET must be enabled. |
| Active Directory | RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3) or later. All users and groups who use RMS to acquire licenses and publish content must have an e-mail address that is configured in Active Directory. |
| Database server | RMS requires a database and stored procedures to perform operations. In this step-by-step guide you use Microsoft SQL Server 2005 Standard Edition. In a production environment, a separate database server is recommended. |

Steps for Deploying RMS with Office SharePoint Server 2007

If your test environment does not have Internet access, there are several installation files that should be manually copied to each computer. For the Office SharePoint Server 2007 computer, you should copy the .NET Framework 2.0, the .NET Framework 3.0, and the RMS with Service Pack 2 (SP2) client installation packages. For the RMS client computer, you should copy the RMS with SP2 client, and for the RMS Server you should copy the RMS with Service Pack 2 server installation package to the RMS server.

- Step 1: Setting up the Infrastructure
- Step 2: Installing and Configuring RMS on RMS-SRV
- Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV
- Step 4: Verifying RMS Functionality on RMS-CLNT

Step 1: Setting up the Infrastructure

To prepare your test environment for installing RMS, you must complete the following tasks:

- Configure the domain controller (DC)
- Configure the computer to be used as the RMS cluster (RMS-SRV)
- Configure the Office SharePoint Server 2007 server (SPS-SRV)
- Configure the RMS client computer (RMS-CLNT)

Configure the domain controller (DC)

To configure the domain controller DC, you must install Windows Server 2003, configure TCP/IP properties, install Active Directory, raise both the forest and domain functional levels to Windows Server 2003, create user accounts, and then assign these user accounts an e-mail address.

First, install Windows Server 2003 as a stand-alone server.

To install Windows Server 2003, Standard Edition

1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type DC.

Next, configure TCP/IP properties so that DC has a static IP address of 10.0.0.1. In addition, configure 10.0.0.1 as the IP address for the DNS server.

To configure TCP/IP properties on DC

1. Log on to DC as DC\ADMINISTRATOR.
2. Click Start, point to Control Panel, and point to Network Connections, double-click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.1. In the Subnet mask box, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties dialog box.

Next, configure the computer as a domain controller.

To configure DC as a domain controller

1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
3. Click Next, click the Domain controller for a new domain option, and then click Next.
4. Select the Domain in a new forest option, and then click Next.
5. In the Full DNS name for new domain box, type cpandl.com, and then click Next.
6. In the Domain NetBIOS name box, type CPANDL, and then click Next three times.
7. Select the Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server option.
8. Select the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password box, type a strong password. In the Confirm password box, type the password again, and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.

Note

You must restart the computer after you complete this procedure.

Next, raise the forest functional level in Active Directory to Windows Server 2003.

Important

Once you raise a functional level in Active Directory, you cannot return it to its original level.

To raise the forest functional level

1. Log on to DC as CPANDL\ADMINISTRATOR.
2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
3. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
4. Choose Windows Server 2003 from the list box, and then click Raise.
5. Click OK twice.

Next, raise the domain functional level in Active Directory to Windows Server 2003.

To raise the domain functional level

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click CPANDL.COM, and then click Raise Domain Functional Level.
3. Choose Windows Server 2003 from the list box, and then click Raise.
4. Click OK twice.

Next, add the following user accounts: RMSSRVC, RMSADMIN, USER1, and USER2.

To add new user accounts

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. This opens the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
2. In the console tree, expand cpandl.com, right-click Users, point to New, and then click User.
3. In the New Object – User dialog box, type RMSSRVC in the Full name and User logon name boxes, and then click Next.
4. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.
5. Perform the above steps 1-4 for each of the following users: RMSADMIN, USER1, and USER2.

Finally, add e-mail addresses to the USER1 and USER2 user accounts.

To add e-mail addresses to user accounts

1. In the Active Directory Users and Computers snap-in, right-click USER1, click Properties, type [email protected] in the E-mail box, and then click OK.
2. Repeat this step for USER2.
3. Close the Active Directory Users and Computers snap-in.

Configure the computer to be used as the RMS cluster (RMS-SRV)

To configure the member server RMS-SRV so that you can install RMS on it, you must install Windows Server 2003, configure TCP/IP properties, and then join RMS-SRV to the domain cpandl.com. You must also add the account RMSADMIN as a member to the local administrators group. This is needed for RMSADMIN to install RMS on RMS-SRV. Additionally, there are several prerequisite components that must be installed on the RMS cluster including Internet Information Services (IIS), ASP.NET, Message Queuing, and SQL Server 2005 Standard Edition.

First, install Windows Server 2003 as a stand-alone server.

To install Windows Server 2003, Standard Edition

1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type RMS-SRV.

Next, configure TCP/IP properties so that RMS-SRV has a static IP address of 10.0.0.2. In addition, configure the DNS server of DC (10.0.0.1).

To configure TCP/IP Properties

1. Log on to RMS-SRV as RMS-SRV\ADMINISTRATOR.
2. Click Start, point to Control Panel, and point to Network Connections, double-click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.2. In the Subnet mask box, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties dialog box.

Next, join RMS-SRV to the cpandl.com domain.

To join RMS-SRV to the cpandl.com domain

1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Computer Name tab, and then click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.
5. Click More, and type cpandl.com in the Primary DNS suffix of this computer box.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials, and click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and click Close.
10. Close the System dialog box.

Finally, add RMSADMIN to the local administrators group on RMS-SRV.

To add RMSADMIN to the local administrators group

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
2. Expand Local Users and Groups, and then click Groups.
3. Right-click Administrators, click Add to Group, click Add, and then type RMSADMIN in the Enter the object names to select (examples) box.
4. Click OK twice and then close Computer Management.
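
One way to confirm the account, e-mail, and local Administrators settings made in the procedures above, as an added example that is not part of the original guide. The function names, the sample records, and the list of expected administrators (Domain Admins plus RMSADMIN) are assumptions of this example, and the live mode assumes PowerShell 2.0 or later on a domain-joined computer.

```powershell
# Added example, not part of the guide. RMSSRVC, RMSADMIN, USER1, USER2, RMS-SRV and
# CPANDL are the guide's names; function names and sample records are hypothetical.
param([switch]$Live)   # -Live queries the domain; the default uses the constructed sample

function Get-LabAccount {
    # Look up one account in the current domain: does it exist, and is mail set?
    param([string]$SamAccountName)
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('mail')
    $hit = $searcher.FindOne()
    $mail = $null
    if ($hit) {
        $values = $hit.Properties['mail']
        if ($values -and $values.Count -gt 0) { $mail = [string]$values[0] }
    }
    New-Object PSObject -Property @{ Name = $SamAccountName; Exists = [bool]$hit; Mail = $mail }
}

function Get-LocalAdminPath {
    # Return the ADsPath of every member of a computer's local Administrators group.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-LabIdentity {
    # Pure check over already-collected data; returns one string per finding.
    param(
        [object[]]$Accounts,
        [string[]]$AdminPaths,
        [string[]]$MailRequired = @('USER1', 'USER2'),   # accounts the guide gives an e-mail address
        [string]$Domain = 'CPANDL',
        [string]$InstallAccount = 'RMSADMIN'
    )
    $findings = @()
    foreach ($account in $Accounts) {
        if (-not $account.Exists) {
            $findings += "MISSING     $($account.Name): account not found in the domain"
        } elseif (($MailRequired -contains $account.Name) -and -not $account.Mail) {
            $findings += "NO-MAIL     $($account.Name): RMS needs an e-mail address to license or publish"
        }
    }
    # Domain principals appear as WinNT://DOMAIN/name, local ones as WinNT://DOMAIN/COMPUTER/name.
    $pattern = '^WinNT://' + [regex]::Escape($Domain) + '/[^/]+$'
    $domainMembers = @($AdminPaths | Where-Object { $_ -match $pattern })
    $installPath = "WinNT://$Domain/$InstallAccount"
    if ($domainMembers -notcontains $installPath) {
        $findings += "NOT-ADMIN   ${InstallAccount}: not in the local Administrators group"
    }
    # Assumption of this example: only Domain Admins and the install account are expected.
    $expected = @("WinNT://$Domain/Domain Admins", $installPath)
    foreach ($path in $domainMembers) {
        if ($expected -notcontains $path) {
            $findings += "EXTRA-ADMIN ${path}: review, the guide does not grant this"
        }
    }
    $findings
}

if ($Live) {
    $accounts = 'RMSSRVC', 'RMSADMIN', 'USER1', 'USER2' | ForEach-Object { Get-LabAccount $_ }
    $admins = @(Get-LocalAdminPath 'RMS-SRV')
} else {
    # Constructed sample records (not output from a real lab) so the checks run offline.
    $accounts = @(
        (New-Object PSObject -Property @{ Name = 'RMSSRVC';  Exists = $true; Mail = $null }),
        (New-Object PSObject -Property @{ Name = 'RMSADMIN'; Exists = $true; Mail = $null }),
        (New-Object PSObject -Property @{ Name = 'USER1';    Exists = $true; Mail = 'user1@lab.example' }),
        (New-Object PSObject -Property @{ Name = 'USER2';    Exists = $true; Mail = $null })
    )
    $admins = @(
        'WinNT://CPANDL/RMS-SRV/Administrator',
        'WinNT://CPANDL/Domain Admins',
        'WinNT://CPANDL/RMSSRVC'
    )
}

$results = @(Test-LabIdentity -Accounts $accounts -AdminPaths $admins)
if ($results.Count -eq 0) { 'No findings: accounts and group membership match the guide.' }
else { $results }
```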

Configure the Office SharePoint Server 2007 server (SPS-SRV)

To configure the Office SharePoint Server 2007 server SPS-SRV, you must install Windows Server 2003, configure TCP/IP properties, join the computer to the cpandl.com domain, add the RMS cluster to the Office SharePoint Server 2007 Server's Trusted Sites Internet Explorer zone, and then install the RMS client application on this server.

To install Windows Server 2003, Standard Edition

1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type SPS-SRV.

Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.3. In addition, configure the DNS server of DC (10.0.0.1).

To configure TCP/IP properties on SPS-SRV

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Control Panel, point to Network Connections, double-click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following IP address option. In the IP address box, type 10.0.0.3. In the Subnet mask box, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties dialog box. Close the Local Area Connection Status dialog box.
7. Restart the computer for the changes to take effect.

Next, add SPS-SRV to the cpandl.com domain.

To join SPS-SRV to the cpandl.com domain

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Computer Name tab, and then click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.
5. Click More, and type cpandl.com in the Primary DNS suffix of this computer box.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials, and then click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK.

Next, add the RMS cluster to the Internet Explorer Trusted Sites zone on the Office SharePoint Server 2007 server so that RMS communication is not interrupted.

To add RMS-SRV to Trusted Sites

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Control Panel, and then click Internet Options.
3. Click the Security tab, click Trusted Sites, and then click the Sites button.
4. Type http://RMS-SRV, and then click Add.
5. Click Close, and then click OK.

Finally, install the RMS client on the Office SharePoint Server 2007 server.

To install the RMS 1.0 with SP2 client

1. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If you are using a 64-bit version of Windows XP Professional or Windows Server 2003, download the 64-bit version of the RMS client from http://go.microsoft.com/fwlink/?LinkId=67935.
2. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to start the installation.
3. Click Next.
4. Select the I agree option to accept the End User License Agreement, and then click Next twice to start the installation.
5. Click Close to finish the installation.

Configure the RMS client computer (RMS-CLNT)

To configure RMS-CLNT, you must install Windows XP Professional, configure TCP/IP properties, join RMS-CLNT to the domain cpandl.com, and then install the RMS client. You must also install an RMS-enabled application. In this example, you install Microsoft Office Word 2007 on RMS-CLNT.

To install Windows XP Professional

1. Start your computer using the Windows XP Professional product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type RMS-CLNT.

Next, configure TCP/IP properties so that RMS-CLNT has a static IP address of 10.0.0.4. In addition, configure the DNS server of DC (10.0.0.1).

To configure TCP/IP properties

1. Click Start, click Control Panel, and then double-click Network Connections. Right-click Local Area Connection, and then click Properties.
2. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
3. Click the Use the following IP address option. In the IP address box, type 10.0.0.4. In the Subnet mask box, type 255.255.255.0.
4. Click the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1.
5. Click OK, and then click OK to close the Local Area Connection Properties dialog box.
6. Restart your computer for the changes to take effect.

Next, join RMS-CLNT to the cpandl.com domain.

To join RMS-CLNT to the cpandl.com domain

1. Log on to DC as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. On the Computer Name tab, click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.
5. Click More, and in Primary DNS suffix of this computer, type cpandl.com.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials, and then click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK.
10. Click OK to close the System Properties dialog box.
11. In the System Settings Change dialog box, click Yes.

Next, the RMS client must be downloaded and installed on RMS-CLNT.

To install the RMS 1.0 SP2 client

1. Log on to RMS-CLNT as CPANDL\ADMINISTRATOR.
2. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If you are using a 64-bit version of Windows XP Professional or Windows Server 2003, download the 64-bit version of the RMS client from http://go.microsoft.com/fwlink/?LinkId=67935.
3. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe to start the installation.
4. Click Next.
5. Select the I agree option, and then click Next twice to start the installation.
6. Click Close to finish the installation.

Next, install Microsoft Office Word 2007 Professional.

To install Microsoft Office Word 2007 Professional

1. Click setup.exe on the Microsoft Office 2007 Professional product CD.
2. Click Customize as the installation type, set the installation type to Not Available for Microsoft Office Access, Microsoft Office Excel, Microsoft Office InfoPath, Microsoft Office Outlook, Microsoft Office PowerPoint, Microsoft Office Publisher, and Microsoft Office Visio Viewer, and then click Install Now. This may take several minutes to complete.

Step 2: Installing and Configuring RMS on RMS-SRV

To install RMS, you must complete the following steps:

- Add the Application Server role to RMS-SRV. This will install IIS and ASP.NET.
- Install Message Queuing
- Install SQL Server 2005 Standard Edition
- Install the RMS cluster
- Configure RMS settings
- Register the SCP in Active Directory

Add Application Server role to RMS-SRV

RMS uses IIS and ASP.NET to communicate with the RMS clients. To install IIS and

ASP.NET, you must complete the following steps:

To add the Application Server role

1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR. The Manage Your Server

window appears.

2. Click Add or remove a role.

3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

4. Click Application Server (IIS, ASP.NET), and then click Next.

5. Select the Enable ASP.NET check box, and then click Next twice.

6. When asked for files from the Windows Server 2003 product CD, insert it into the

CD-ROM drive of the computer.

7. Click Finish to complete the installation.

Install Message Queuing

Message Queuing is used to send information from the RMS cluster to the RMS logging

database and must be installed prior to installing RMS. To install Message Queuing, you

must complete the following steps:

To install Message Queuing

1. Click Start, point to Control Panel, and then click Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. In the Windows Components Wizard dialog box, click Application Server, and

then click the Details button.

4. In the Application Server dialog box, select the Message Queuing check box,

and then click OK.

5. Click Next to start the installation.

6. Click Finish and close the Add or Remove Programs dialog box.

Install Microsoft SQL Server 2005 Standard Edition

RMS requires a database used for storing configuration and logging information.

Microsoft SQL Server 2005 Standard Edition is the database that will be used in this

guide. It will be installed on the same computer as the RMS cluster (RMS-SRV). In a

production environment, it is recommended to install the RMS database on a dedicated

computer.

Note

Microsoft SQL Server 2005 Express Edition is also supported as the database

server. However, Microsoft SQL Server 2005 Express Edition is not

recommended for use in production environments because it does not support

adding additional servers to the RMS cluster or the ability to view or modify data

stored in the configuration and logging databases. To download Microsoft SQL

Server 2005 Express Edition, go to http://go.microsoft.com/fwlink/?LinkId=73721.

To install Microsoft SQL Server 2005 Standard Edition, refer to the following steps:

To install Microsoft SQL Server 2005 Standard Edition

1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.

2. Start the installation from the Microsoft SQL Server 2005 product CD by double-clicking Setup.exe.

3. Select the I accept the licensing terms and conditions check box, and then

click Next. When the Installing Prerequisites page reports that the required

components were installed successfully, click Next again.

4. When the system configuration check is complete, click Next on the Welcome to

the Microsoft SQL Server Installation Wizard page to start the installation.

5. If you see no errors on the System Configuration Check page, click Next.

6. Complete the Registration Information page, and then click Next.

7. On the Components to Install page, select the SQL Server Database Services

check box, and then click Next.

8. On the Instance Name page, verify that Default Instance is selected, and then click Next.

9. On the Service Account page, select the Use the built-in System account

option, click Next four times, and then click Install. The installation may take

several minutes to complete.

10. On the Setup Progress page, when the installation has completed and the

status of all the products in the list is Setup finished, click Next, and then click

Finish.

Install the RMS cluster

Now that all of the prerequisite software has been installed, it is time to install the RMS

cluster. To download RMS, go to http://go.microsoft.com/fwlink/?LinkId=73722. From

RMS-SRV, you should do the following in order to install RMS:

To install the RMS cluster

1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.

2. Start the installation by double-clicking the installation file that you downloaded

from the Microsoft Web site.

3. Click Next.

4. Read the License Agreement, select the I agree option, and then click Next.

5. Accept the default installation folder, click Next, and then click Install.

6. When the installation completes, click Close.

Configure RMS settings

RMS is provisioned and administered by using a local Web site automatically created

during the RMS installation.

To provision RMS using the Global Administration Web site

1. Click Start, point to All Programs, point to Windows RMS, and then click

Windows RMS Administration.

2. Click Provision RMS on this Web site.

3. In the User name box under RMS Service Account, type CPANDL\RMSSRVC,

and then type the password for CPANDL\RMSSRVC in the Password box.

4. In the RMS private key password box under Private key protection and

enrollment, enter a strong password, and then confirm this strong password in

the Enter password again box.

5. Type [email protected] in the Administrative contact box.

6. Under RMS Proxy Settings, clear the This computer uses a proxy server to

connect to the Internet check box.

7. Keep the default values for everything else on this page, and then click Submit.

This might take a few minutes to complete.

Register the SCP in Active Directory

The RMS service connection point (SCP) in Active Directory allows RMS clients to

discover the RMS cluster automatically. Active Directory SCP registration is not done

automatically during installation. To register the RMS SCP, you must do the following:

To register RMS SCP in Active Directory

1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR or another Active Directory user account that is a member of the Enterprise Admins group in the CPANDL Active Directory domain.

2. Click Start, point to All Programs, point to Windows RMS, and then click

Windows RMS Administration.

3. Click Administer RMS on this Web site.

4. Scroll to the bottom of the page and click RMS service connection point.

5. Click Register URL.

Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV

To install Office SharePoint Server 2007, you must complete the following steps:

Install Microsoft .NET Framework 2.0

Install Microsoft .NET Framework 3.0

Add the Application Server role to SPS-SRV

Install Office SharePoint Server 2007

Configure Office SharePoint Server 2007 for RMS

Install Microsoft .NET Framework 2.0

The Microsoft .NET Framework 2.0 is required by Office SharePoint Server 2007. To

install the .NET Framework 2.0, you must complete the following steps:

To install Microsoft .NET Framework 2.0

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.

2. Download the .NET Framework 2.0 from

http://go.microsoft.com/fwlink/?LinkId=73913.

3. Double-click dotnetfx.exe to start the installation, and then click Run in the Open File - Security Warning dialog box.

4. Click Next, select the I accept the terms of the License Agreement option, and

then click Install.

5. Click Finish to complete the installation.

Install Microsoft .NET Framework 3.0

Windows Workflow Foundation, required by Office SharePoint Server 2007, has been

integrated into .NET Framework 3.0. To install the .NET Framework 3.0, you must

complete the following steps:

To install .NET Framework 3.0

1. Download Microsoft .NET Framework 3.0 from

http://go.microsoft.com/fwlink/?LinkId=73912.

2. Double-click dotnetfx3setup.exe, and then click Run in the Open File -

Security Warning dialog box.

3. Click the I have read and ACCEPT the terms of the license agreement option,

and then click Install.

4. Click Exit to complete the installation.

Add Application Server role to SPS-SRV

Office SharePoint Server 2007 uses the Application Server role, which contains IIS and

ASP.NET, to host Office SharePoint Server 2007 document libraries. To install the

Application Server role, you must complete the following steps:

To add the Application Server role

1. Click Start, point to All Programs, point to Administrative Tools, and then click

Manage Your Server.

2. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

3. Click Application Server (IIS, ASP.NET), and then click Next.

4. Select the Enable ASP.NET check box, and then click Next twice.

5. When prompted for the CD, insert the Windows Server 2003 product CD into the

CD-ROM drive, and then click OK.

6. Click Finish to complete the installation.

Install Office SharePoint Server 2007

Once all of the prerequisite components have been installed, you are ready to start installing Office SharePoint Server 2007. The following steps are required to install Office SharePoint Server 2007:

To install Office SharePoint Server 2007

1. Double-click setup.exe from the Office SharePoint Server 2007 product CDs.

2. Enter your Product Key, and then click Continue.

3. Select the I accept the terms of the agreement check box, and then click

Continue.

4. Click Basic.

5. After installation has completed, make sure that the Run the SharePoint

Products and Technologies Configuration Wizard now check box is selected,

and then click Close.

6. On the SharePoint Products and Technologies Configuration Wizard dialog

box, click Next. Click Yes on the message that appears. This may take several

minutes to complete.

7. Click Finish to complete the installation.

Note

Before you add users to Office SharePoint Server 2007, configure Office

SharePoint Server 2007 for RMS.

Configure Office SharePoint Server 2007 for RMS

After Office SharePoint Server 2007 has been installed, there are several things that

must be completed to integrate Office SharePoint Server 2007 with RMS:

Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer

zone.

Add the Office SharePoint Server 2007 server to the RMS certification pipeline.

Enable Information Rights Management in Office SharePoint Server 2007.

Add USER1 and USER2 to the SharePoint site.

Restrict permissions by using RMS.

First, add the Office SharePoint Server 2007 site to the Internet Explorer Trusted Sites

zone on the Office SharePoint Server 2007 computer.

To add SPS-SRV to Trusted Sites

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.

2. Click Start, point to Control Panel, and then click Internet Options.

3. Click the Security tab, click Local Intranet, and then click the Sites button.

4. Type http://SPS-SRV, and then click Add.

5. Click Close, and then click OK.

Next, add the Office SharePoint Server 2007 server and RMS Service Group to the RMS

cluster certification pipeline.

Important

By default, the RMS cluster certification pipeline ACL is configured to allow only

the local System account. You must add the permissions in order for Office

SharePoint Server 2007 to integrate with RMS.

To add SPS-SRV to the RMS Certification Pipeline

1. Log on to RMS-SRV as CPANDL\RMSADMIN.

2. Click Start, and then click My Computer.

3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

4. Right-click ServerCertification.asmx, click Properties, and then click the

Security tab.

5. Click Add.

6. Click Object Types, select the Computers check box, and then click OK.

7. Type SPS-SRV, and then click OK.

8. Click Add.

9. Click Object Types, select the Groups check box, and then click OK.

10. Type RMS-SRV\RMS Service Group, and then click OK.

11. Click OK to close the ServerCertification.asmx Properties dialog box.
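One way to confirm the result of the procedure above, as an added example that is not part of the original guide: a PowerShell check, run on RMS-SRV, that reports any principal on ServerCertification.asmx outside the three the guide expects. The account display names, the function name, and the expectation that the two added entries keep read-only rights are assumptions of this example; the guide does not state which rights are granted.

```powershell
# Added example, not part of the original guide. Run on RMS-SRV.
$PipelinePath = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

# Principals expected after the procedure (assumed display names): the
# default System entry plus the two entries added in steps 5-10.
$AllowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'CPANDL\SPS-SRV$',
    'RMS-SRV\RMS Service Group'
)

# Hypothetical helper: emits one object per deviation from the allow-list.
function Test-PipelineAcl {
    param([string] $Path, [string[]] $Allowed)

    # Rights that would let a principal alter or replace the .asmx file.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $seen  = @()

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who   = $rule.IdentityReference.Value
        $seen += $who

        if ($Allowed -notcontains $who) {
            # Anyone else with access can request server certification.
            New-Object PSObject -Property @{
                Finding = 'UnexpectedPrincipal'; Principal = $who
                Rights  = $rule.FileSystemRights; Inherited = $rule.IsInherited }
        }
        elseif ($who -ne 'NT AUTHORITY\SYSTEM' -and
                (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            # Assumption: the added entries only need to read the file.
            New-Object PSObject -Property @{
                Finding = 'WriteAccess'; Principal = $who
                Rights  = $rule.FileSystemRights; Inherited = $rule.IsInherited }
        }
    }

    # An expected entry that is absent means the integration will fail.
    foreach ($name in $Allowed) {
        if ($seen -notcontains $name) {
            New-Object PSObject -Property @{
                Finding = 'MissingPrincipal'; Principal = $name
                Rights  = $null; Inherited = $null }
        }
    }
}

Test-PipelineAcl -Path $PipelinePath -Allowed $AllowedPrincipals |
    Format-Table Finding, Principal, Rights, Inherited -AutoSize
```

No output means the ACL matches the allow-list exactly; inherited entries are reported as well, because access granted on a parent folder reaches the pipeline file in the same way.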

Once the RMS cluster certification pipeline has been opened to allow SPS-SRV to

communicate with it, you must configure Office SharePoint Server 2007 to use the RMS

cluster:

To enable Information Rights Management in Office SharePoint Server 2007

1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.

2. Click Start, point to Administrative Tools, and then click SharePoint 3.0

Central Administration.

3. Click Operations, and then click Information Rights Management.

4. Click Use the default RMS server specified in Active Directory.

5. Click OK.

Next, give USER1 and USER2 access to the RMS SharePoint site so that the Office

SharePoint Server integration with RMS can be verified later in this guide:

To add USER1 and USER2 to the SharePoint site

1. Click Start, point to All Programs, and then click Internet Explorer.

2. Type http://SPS-SRV/ in the address bar, and then click Go. This will open the

default Office SharePoint Server 2007 site that was created during installation.

3. Click Site Actions, point to Site Settings, and then click People and Groups.

4. Click New, and then click Add Users.

5. Type [email protected];[email protected] in the Users/Groups

box, and then click OK.

Create an Office SharePoint Server 2007 permission policy on the default document

library. This permission policy will be used to restrict the ability to print any documents

that are uploaded to the document library:

To restrict permissions using RMS

1. In the same Office SharePoint Server 2007 site, click Home.

2. Click Document Center, click Documents, click Settings, and then click

Document Library Settings.

3. Under the Permissions and Management heading, click Information Rights

Management.

4. Select the Restrict permission to documents in this library on download

check box.

5. Type CPANDL Protected in the Permissions policy title box.

6. Type Restrict CPANDL employees from printing in the Permission policy

description box.

7. Click OK.

Note

In addition to the permissions policy, Office SharePoint Server 2007 will also

automatically apply RMS rights to the document when it is downloaded from the

Office SharePoint Server 2007 site. These rights are determined by the Office

SharePoint Server 2007 group membership for that site. For example, a user

who is in the Visitors Office SharePoint Server 2007 group will not be able to

modify the document when it is downloaded from the Office SharePoint

Server 2007 site.

Step 4: Verifying RMS Functionality on RMS-CLNT

To verify the functionality of the RMS deployment, you log on as USER1, create a new

Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site

so that users who download the document will not be able to print it. You then log on as

USER2, download the document from the Office SharePoint Server 2007 site and verify

that the ability to print the document has been restricted.

To create and upload a Microsoft Word document for testing

1. Log on to RMS-CLNT as USER1.

Note

Since USER1 is the author of this document, USER1 will have full rights

to the document, regardless of the RMS rights that are applied to it.

2. Click Start, point to All Programs, point to Microsoft Office, and then click

Microsoft Office Word 2007.

3. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save As, and then save the file as RMS-TST.docx.

4. Close Microsoft Office Word 2007.

5. Click Start, point to All Programs, and then click Internet Explorer.

6. Type http://SPS-SRV/ in the address bar, and then click Go.

7. Click Document Center, and then click Documents.

8. Click Upload, and then click Upload Document.

9. Click Browse, click RMS-TST.docx, and then click Open.

10. Click OK to upload the file, and then click Check In.

By uploading the document into this library, the document receives the

restrictions set on the library.

11. Log off as USER1.

Finally, log on as USER2 and open the document from the Office SharePoint

Server 2007 site.

To open a protected document

1. Log on to RMS-CLNT as USER2.

2. Click Start, click All Programs, and then click Internet Explorer.

3. Type http://SPS-SRV/ in the address bar, and then click Go.

4. Click Document Center, and then click Documents.

5. Click RMS-TST, and then click OK to open the document as Read Only.

6. The following message will appear: "Permission to this document is currently

restricted. Microsoft Office must connect to http://rms-srv/_wmcs/licensing

to verify your credentials and download your permission."

7. Click OK.

8. The following message will appear: "Verifying your credentials for opening

content with restricted permissions".

9. The Print button in the toolbar is disabled.

You have successfully deployed, integrated, and demonstrated the functionality of RMS

and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft

Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use

this deployment to explore some of the additional capabilities of RMS through additional

configuration and testing.